Scientific research often uses personal data of participants in their research. All processing of personal data is subjected to the General Data Protection Regulation (GDPR). If you use personal data in your research, you can download the poster with information <HERE>. Any additional information can be found below. If you still have unanswered questions, contact your Privacy Contact Person (PCP) or the Data Protection Officer team (in Dutch: FG team).
A short clarification on terminology: If you collect personal information from person A, person A is called the data subject of your research.
Personal data is every kind of information that can be used to identify a living individual, f.e. name, email address, location. Be careful: this can also be a combination of in itself non-identifiable parameters but when combined, will lead you to a person, like a age, sex, and profession.
This will also include video and audio files!
More information about lawfulness and the GDPR.
The processing of personal data in research must be proportionate to the intended purpose of the research. This means that personal data must be limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’). Do not collect more data than you need to answer your research question.
There are three criteria under which you will have to do a DPIA (data protection impact assessment).
- A systematical and extended judgement of personal aspects of a living person
- Large-scale processing of special personal data
- Systematic and large-scale monitoring of public space
In practice, this means that a formal privacy impact assessment won’t be often needed. However, we advise you to do a small scale PIA, since this will bring to light which measures you can take to secure the personal data. <ADD HERE HOW YOU CAN DO THIS>
In your data management plan describe how you will handle sensitive data.
- What kind of data you will be using (Keep in mind data limitation and data minimization)
- If, when, and why you are using personal data.
- How you are going to anonymise this. If this is not possible, how are you going to pseudonymise the data. (See below)
- What you will put in your informed consent form. For tips, see below.
- Which procedures you will put in place to guarantee data subjects' rights. (See below)
- How the data will be stored securely and safely.
- Which researchers will have access to the data.
- How this access is provided and how it can be retracted.
- How long you will store the data and who responsible for deleting it after this period.
- How you will turn your dataset with personal information into a file that follows the FAIR principles. ('We will not' is a valid answer)
- What privacy statements you will use.
- How you will handle third-party agreements.
Communication to the persons from who you collect personal data:
Participants or data subjects have specific rights under the GDPR. You will need to communicate to the data subjects how they can exercise these rights.
Communicating with your data subjects can be done through flyers, the information letter with the consent form, and privacy statements on f.e. websites. For guidance on the content of an information letter go to the informed consent procedure.
Communication to persons working in your project:
In each project, you will have to communicate the privacy measures you've taken and procedures you've implemented with your project partners. The measures and procedures should be described in your Data Management Plan. You can turn this into a quick reference guide for your partners, describe them in your project manual, or in project presentation. Just make sure everyone knows about them.
The UT is responsible to keep a register of all processing of personal data. Every researcher is responsible for registering his/her own research at this register. Report any new processing which uses personal data to the Data Protection Officer (DPO) team.
This can be registered via the following link: Report processing.
The Privacy Contact Person (PCP) of your faculty is able to support you.
When you think about data management plan first, you will see that you can use most answers from the DMP in the questions for the register.
The GDPR amplifies the position of data subjects regarding the protection of their privacy. For instance, data subjects are afforded more rights, such as the right to erasure, to data portability, to the restriction of processing and to the objection to processing. In addition, data subjects have the right not to be subject to a decision based solely on automated processing, including profiling. These rights supplement existing rights of access, rectification and removal.
In the practice of day to day research this means you will need to guarantee the rights of data subjects. They should be able to know:
- What data we have collected about them.
- How to be deleted from the dataset (up to XX hours after research).
- We will stop collecting data as soon as they indicate it.
- How to file a complaint.
- Which third parties their data will be shared with.
Some of these rights can be hard to implement. Data subjects have the right to have their information deleted from the database, the right to have their information kept up to date, and the right to object to processing. Some practical tips:
- Put in the informed consent form that data subjects can have their data removed up to 48 (or any time you chose) hours after the research has taken place. This will give them the opportunity to retract their data, but it will enable you to start with processing the data within a reasonable timeframe.
- You will need to keep personal data up to date. Make sure to put in the correct headers on the kind of data you will be collecting. Do not put in 'Age of subject', since that will change every year. Put in 'Age at time of research'. This will not change.
- If you have any specific requests or difficulties, put them in the consent form. As long as you have this specific consent of the data subjects, you can process the data as you wish.
As a researcher, you will need to put processes in place to be sure you can respect those rights.
If you want to collect and process personal data from a living person, you will need to get their informed consent. Informed consent consists of an information letter and a consent form on which the data subject can give consent for specific statements concerning their privacy and use of personal data. (In most research with subjects, informed consent needs to be given for the purpose of the research. The informed consent we are talking about is specific to data gathering, processing, and storing).
Important is to describe in the information letter:
- What is the goal of your research
- What data will you be collecting in order to achieve this goal. (And only this goal.)
- What will happen to the data (processing, storage, archiving, and possibly deletion)
- How can they exercise their rights.
- What happens to the data once the research is finished (Anonymize, Open Data, Deletion)
- What will happen to the data if you want to present the data at conferences or in a paper. (You can only present data if anonymised, or if you have the appropriate consent.)
- In clear and simple language
- Do not use one blank statement for all privacy option. Give options for different aspects.
Examples of informed consent forms are available at the website of UT ethics committees, e.g. BMS, EWI, ITC <<OP HET MOMENT NOG NIET UP TO DATE>>
Anonymise your data as quickly as possible.
Anonymisation means there is no subject in the dataset that can be traced back to a unique living person. You can do this by deleting all personal information and replacing it with an anonymised identifier (Subject 1,2,3, etc). However, this can not be done in all cases, for instance, when you collect 24-hour location data or when you can identify someone by combining different parameters in your dataset. In that case, you will need to pseudonymise.
Anonymisation might be difficult not only because of technical reasons. Each data subject has the right to know which of his/her personal data we are storing. So you have two options:
1) You explain in the consent form that the data will be anonymised as soon as possible. After the data has been anonymised, it is not possible for a subject to delete his data from the system. Therefore subjects will have XXX hours in which they can object to the use of their data or ask for the data to be retracted. As soon as the data is anonymised, the personal data will be deleted.
2) You pseudonymise the data. You can not directly identify a living person from the data file, but you will be able to retrace someone. This means you store all personal data in a separate file. In the data file, you code the data subjects from 1 to x. In the third file, you store the key by which you can retrace the personal data to the numbering 1-x. This key file will need to be stored securely and in a separate place from both data files. This key will have to be registered at the UT registry as well. If the need to relate the research data to the personal data has become obsolete, delete both the key and the personal data file.
You can only publish or present your research data containing personal data if you have the data subjects' consent to do this. If you have no consent, make sure that the personal data is fully anonymised.
See also UT Research Support 'Publish and preserve your research'
At the end of your project, you probably must place your research data in a repository. If this is an open repository, make sure your data sets are anonymised. If it is not, make sure to restrict access.
If you cannot restrict access, you will need to archive the data at the UT. Ask your faculty or department what the appropriate data policy is that you will need to follow.
More information on Archiving research data.
Grant providers NWO, STW, EU H2020 and ZonMW already ask you to work according to the so-called FAIR data principles.
FAIR means Findable, Accessible, Interoperable and Re-useable. Ask LISA for more information, but make sure you only make anonymised data openly accessible.